As more and more computers and other computing devices are interconnected through various networks such as the Internet, computer security has become increasingly important, particularly against invasions or attacks delivered over a network or over an information stream. As those skilled in the art and others will recognize, these attacks come in many different forms, including, but certainly not limited to, computer viruses, computer worms, system component replacements, denial of service attacks, even misuse/abuse of legitimate computer system features, all of which exploit one or more computer system vulnerabilities for illegitimate purposes. While those skilled in the art will recognize that the various computer attacks are technically distinct from one another, for purposes of the present invention and for simplicity in description, all malicious computer programs that spread on computer networks, such as the Internet, will be generally referred to hereinafter as computer malware or, more simply, malware.
When a computer system is attacked or “infected” by computer malware, the adverse results are varied, including disabling system devices; erasing or corrupting firmware, applications, or data files; transmitting potentially sensitive data to another location on the network; shutting down the computer system; or causing the computer system to crash. Yet another pernicious aspect of many, though not all, computer malware is that an infected computer system is used to infect other computer systems that are communicatively connected by a network connection.
A traditional defense against computer malware and, particularly, against computer viruses and worms, is antivirus software that is available from numerous software vendors. Most antivirus software identifies malware by matching patterns within data to what is referred to as a “signature” of the malware. Typically, antivirus software scans for malware signatures when certain events are scheduled to occur, such as when data is going to be written or read from a computer-readable medium on the computer. As known to those skilled in the art and others, computer users have ongoing needs to read and write data to computer-readable mediums, such as a hard drive. For example, a common operation provided by some software applications is to open a file stored on a hard drive and display the contents of the file on a computer display. However, since opening a file may cause malware associated with the file to be executed, antivirus software typically performs a scan or other analysis of the file before the open operation is satisfied. If malware is detected, the antivirus software that performed the scan may prevent the malware from being executed, for example, by causing the open operation to fail.
In order to scan a file for malware, an operating system installed on the computer loads file data from a computer-readable medium into system memory that is accessible to the Central Processing Unit (“CPU”). The CPU performs essential operations on behalf of the antivirus software in searching for malware. Those skilled in the art and others will recognize that loading file data from a computer-readable medium into system memory is often a “bottleneck” in a computer's performance. As a result, a CPU frequently remains idle, waiting to perform operations while data is being loaded into system memory.
While computer-readable mediums are typically inexpensive to produce and store vast quantities of data, reading and/or writing data from this type of device is slow when compared to reading and/or writing data from system memory. A primary reason why reading and/or writing data using a computer-readable medium is slow stems from the fact that this type of device employs a read/write head that typically uses electromechanical means to interact with the media where data is stored. Those skilled in the art and others will recognize that a read/write head is only able to read data when the media with which it interacts spins under the read/write head. The physical movement of media in passing underneath a read/write head is slow when compared to mechanisms used to read/write data from more expensive system memory. As a result, modern computer systems typically implement optimizations designed to minimize the time required to read and/or write data from a computer-readable medium. For example, data in a file will typically be defragmented or arranged contiguously on a computer-readable medium to minimize the number of “seek” operations in which data from disparate locations on a computer-readable medium is required to pass under a read/write head.
For a variety of reasons, scanning a file for malware is a resource-intensive task that limits the speed at which programs may be executed. One reason is that antivirus software may not access data in a file contiguously. Instead, when scanning a file for malware, some antivirus software only scans data that is needed to determine whether the file is infected and may request data in the file without regard to where the data is located. Thus, antivirus software may initially request and obtain data that is located at the end of the file and then make subsequent requests for data that is located in other parts of the file. As a result, numerous “seek” operations are performed to determine whether a file is infected with malware.
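The seek cost described above can be made concrete with a small model. This is an added example, not part of the original text: the function names, the 1 MiB file size and the request list are constructed, and the model assumes the head starts at offset 0 and counts one seek for every read that does not begin where the previous read ended.

```python
def count_seeks(requests):
    """Return (seeks, distance) for (offset, length) reads issued in order.

    Simplified model (an assumption of this example): the head starts at
    offset 0 and a seek happens whenever a read does not start where the
    previous read ended.
    """
    position = 0
    seeks = 0
    distance = 0
    for offset, length in requests:
        if offset != position:
            seeks += 1
            distance += abs(offset - position)
        position = offset + length
    return seeks, distance


def coalesce(requests):
    """Sort ranges by offset and merge those that touch or overlap."""
    merged = []
    for offset, length in sorted(requests):
        end = offset + length
        if merged and offset <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([offset, end])
    return [(start, end - start) for start, end in merged]


# Constructed access pattern for a 1 MiB file: end of file first, then the
# header, then other regions, as in the scanner behaviour described above.
FILE_SIZE = 1 << 20
SCANNER_REQUESTS = [
    (FILE_SIZE - 4096, 4096),  # data at the end of the file
    (0, 4096),                 # header
    (512 * 1024, 8192),        # region in the middle
    (4096, 4096),              # directly after the header
    (520 * 1024, 4096),        # directly after the middle region
]


def compare():
    """Seek count and head travel for three ways of reading the same data."""
    return {
        "as_requested": count_seeks(SCANNER_REQUESTS),
        "sorted_coalesced": count_seeks(coalesce(SCANNER_REQUESTS)),
        "one_sequential_read": count_seeks([(0, FILE_SIZE)]),
    }


if __name__ == "__main__":
    for name, (seeks, distance) in compare().items():
        print(f"{name:20} seeks={seeks} head_travel_bytes={distance}")
```

Issued in the scanner's order, the five reads cost five seeks. The same byte ranges sorted and merged cost two, and a single contiguous pass over the file costs none.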